Application for requesting multi-person authentication

ABSTRACT

A first user device includes a camera. The first user device receives a challenge-response message following a request for access to a secure server. The first user device captures a first image of the first user. The first image includes an image of at least a portion of a face of the first user. An authentication result from facial recognition scan of the second user is received. Facial recognition is used to determine that the face of the first user is a face of an authorized user of the secure server. The first user device generates and sends a response to the challenge-response message based on results of facial recognition and the received authentication results.

CROSS-REFERENCE TO RELATED APPLICATION

The application is a continuation of U.S. patent application Ser. No.16/985,833, filed Aug. 5, 2020, by Derryn Robert Bronstein, and entitled“APPLICATION FOR REQUESTING MULTI-PERSON AUTHENTICATION,” which isincorporated by reference.

TECHNICAL FIELD

The present disclosure relates generally to user authenticationtechnology. More particularly, in certain embodiments, the presentdisclosure is related to an application for requesting multi-personauthentication.

BACKGROUND

User authentication may be requested before a user is granted access tosecure information and/or services. The purpose of user authenticationis to determine that the user is an authorized individual who should begranted access to the secure information and/or services. For example, auser may be requested to provide a username and password to access asecure service, such as a service used to review and update personalinformation.

SUMMARY

In an embodiment, a system includes a multi-person authentication serverwhich receives an authentication request corresponding to a request toprovide a first user access to a secure server. In response to theauthentication request, a challenge-response message is provided to thefirst user device. The challenge-response message indicatesauthentication of the first user of the first user device is needed anddirects the first user device to capture a first image of a face of thefirst user. A push notification is also provided to a second userdevice. The push notification indicates confirmation of theauthentication of the first user of the first user device is needed anddirects the second user device to capture a second image of a face ofthe second user and provide an authentication result to the first userdevice. A response to the challenge-response message is received fromthe first user device. The response indicates the first user isauthorized to access the secure server if the first image is an image ofan authorized user of the secure server and the second image is an imageof an administrator of the secure server. The response indicates thefirst user is not authorized to access the secure server if one or bothof the following are true: (1) the first image is not the image of theauthorized user of the secure server and (2) the second image is not theimage of the administrator of the secure server. If the receivedresponse indicates the first user is authenticated, the first user isallowed to access the secure server. If the received response indicatesthe first user is not authenticated, the first user is prevented fromaccessing the secure server.

In another embodiment, a system includes a secure server and a firstuser device. The first user device includes a camera operable to capturea first image of a first user of the user device. The first user devicereceives a challenge-response message following a request for access tothe secure server by the first user. Following receipt of thechallenge-response message, the first user of the first user device isprompted to operate the camera to capture the first image of the firstuser. The first image includes an image of at least a portion of a faceof the first user. A second image of a second user is received thatincludes an image of at least a portion of a face of the second user.Facial recognition is used to determine that the face of the first userincluded in the first image corresponds to a face of an authorized userof the secure server. Facial recognition is used to determine that theface of the second user included in the second image corresponds to aface of an authorized administrator of the secure server. The first userdevice generates a response to the challenge-response message. If boththe face of the first user corresponds to the face of the authorizeduser of the secure server and the face of the second user corresponds tothe face of the authorized administrator of the secure server, theresponse indicates the first user is authorized to access the secureserver. If one or both of the face of the first user does not correspondto the face of the authorized user of the secure server and the face ofthe second user does not correspond to the face of the authorizedadministrator of the secure server, the response indicates the firstuser is not authorized to access the secure server.

In yet another embodiment, a system includes a secure server configuredto host one or more secure applications and a first user device. Thefirst user device includes a camera operable to capture a first image ofa first user of the first user device. The first user device receives anotification that indicates confirmation of authentication of a seconduser of a second user device is needed after the second user requestsaccess to the secure server. Following receipt of the notification, thefirst user device captures a first image of the first user. The firstimage includes at least a portion of a face of the first user. The firstimage is provided for presentation on the second user device.

Previous technology used for user authentication suffers from severaldisadvantages. For example, this disclosure recognizes thatauthentication techniques which rely on input from a single user (e.g.,input of security credentials such as a password, PIN number, or thelike) may be susceptible to compromise by a bad actor. For example, abad actor may obtain a user's security credentials and use thesecredentials to gain access to secure information. Also, previoustechnology based on an authentication from a single user may becompromised if a bad actor obtains the user's device.

Certain embodiments of this disclosure provide unique solutions to thetechnical problems of previous authentication technology, includingthose problems identified above by facilitating a new multi-personauthentication approach which involves the authentication of at leasttwo authorized individuals before access is provided to secureinformation and/or services. For example, the disclosed systems provideseveral technical advantages, which include: 1) improved authenticationsecurity via a multi-person authentication process involving image-basedauthentication of two individuals; 2) the user-friendly, efficient, andsecure request of authentication using a specially designedauthentication-request application; and 3) the user-friendly, efficient,and secure confirmation of requested authentication via a speciallyconfigured authentication-confirmation application. As such, thisdisclosure may improve the function of computer systems used to provideuser authentication prior to providing access to secured informationand/or services by facilitating a unique multi-person authenticationapproach.

In some embodiments, improvements provided by this disclosure areincorporated into the practical application of a multi-personauthentication server. The multi-person authentication server mayreceive a request from a user to access a secure server and, inresponse, provide a challenge-response message to the requesting userand a push notification instructing an appropriate confirming user(e.g., an administrator of the secure server) to take part in theauthentication process. Once a confirmation response is received that isbased on input from both users (e.g., verification of securitycredentials and user identities based on facial recognition), the servermay allow the requesting user to access the secure information. Themulti-person authentication server facilitates the efficient routing ofrequests to multiple user devices for secure and efficientauthentication of user access based on the multi-person authenticationapproach described in this disclosure.

In some embodiments, improvements provided by this disclosure areincorporated into the practical application of a requesting user devicewhich executes an authentication-request application. Theauthentication-request application is executed on a user device, such asa smartphone, and allows the requesting user to request and gain accessto secure data using multi-person authentication. Theauthentication-request application receives a notification thatauthentication to access secure data is requested. A user of therequesting device may enter appropriate security credentials and maysubsequently be presented with a user interface that facilitatesefficient and secure multi-person authentication based on facialrecognition. The device captures and presents an image of the user inone portion of the device's display and receives and presents an imageof a confirming user in another portion of the display. Facialrecognition may be used to determine if both users are authenticatedbefore the user is allowed to access the requested information and/orservices. In some embodiments, the facial recognition tasks forverifying identities of multiple users are performed entirely by theuser device to ensure the authentication process for all users cannot becompromised by a single point of failure (e.g., if an associatedauthentication server were to be compromised).

In some embodiments, improvements provided by this disclosure areincorporated into the practical application of a confirming user devicewhich executes an authentication-confirmation application. Theauthentication-confirmation application is executed on a user device,such as a smartphone, and allows a confirming user (e.g., anadministrator of a server storing information and/or hostingapplications with restricted user access rules) to provide confirmationof a request to access secure information and/or services. Theauthentication-confirmation application receives a notification thatconfirmation is requested for accessing secure information and/orservices. A user of the confirming device may enter security credentialsand present his/her face for imaging by a camera of the device. Thedevice captures the image of the user, performs facial recognition-basedauthentication, and provides the authentication result to an appropriatedevice (e.g., the requesting user device described above). In someembodiments, the image of the user is provided to the requesting userdevice, and facial recognition-based authentication of the confirminguser is performed at the requesting user device. In some embodiments, animage of the user requesting access to the secure information and/orservices may be presented on a display of the device (e.g., similarly toas described above with respect to the authentication-requestapplication). In some embodiments, the user may further provideconfirmation via an input indicating whether the image includes the faceof an individual known to have access to the secure information and/orservices.

Certain embodiments of this disclosure may include some, all, or none ofthese advantages. These advantages and other features will be moreclearly understood from the following detailed description taken inconjunction with the accompanying drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of this disclosure, reference is nowmade to the following brief description, taken in connection with theaccompanying drawings and detailed description, wherein like referencenumerals represent like parts.

FIG. 1 is a schematic diagram of an example system for multi-personauthentication;

FIGS. 2A, 2B, and 2C are diagrams illustrating examples of informationpresented on a display of an example requesting user device of FIG. 1 ;

FIGS. 3A and 3B are diagrams illustrating examples of informationpresented on a display of an example confirming user device of FIG. 1 ;

FIG. 4 is a block diagram of an example multi-person authenticationserver of the system of FIG. 1 ;

FIG. 5 is a flow diagram illustrating an example operation of themulti-person authentication server of FIGS. 1 and 4 ;

FIG. 6 is a block diagram of an example requesting user device of thesystem of FIG. 1 ;

FIG. 7 is a flow diagram illustrating an example operation of therequesting user device of FIGS. 1 and 6 ;

FIG. 8 is a block diagram of an example confirming user device of thesystem of FIG. 1 ;

FIG. 9 is a flow diagram illustrating an example operation of theconfirming user device of FIGS. 1 and 8 ; and

FIG. 10 is a block diagram of an example device for implementing othercomponents of the system of FIG. 1 .

DETAILED DESCRIPTION

As described above, previous authentication technology has severaldisadvantages. For instance, previous authentication strategiesinvolving information (e.g., security credentials) provided by a singleuser may be susceptible to compromise by a single bad actor. Thisdisclosure provides solutions to these and other problems of previoustechnology by facilitating multi-person user authentication. FIG. 1illustrates an example system for performing multi-personauthentication. FIGS. 2A-C illustrate views of a user interfacepresented on a device for requesting multi-person authentication. FIGS.3A-3B illustrate views of a user interface presented on a device forconfirming permission for multi-person authentication. FIGS. 4 and 5illustrate an example multi-person authentication server and an examplemethod of its operation. FIGS. 6 and 7 illustrate an example device forrequesting multi-person authentication and an example method of itsoperation. FIGS. 8 and 9 illustrate an example device for confirmingmulti-person authentication and an example method of its operation. FIG.10 illustrates an example device for implementing other components ofthe system of FIG. 1 .

Multi-Person Authentication System

FIG. 1 is a schematic diagram of an example system 100 for theauthentication of a user 104 to access a secure server 108. The system100 includes one or more requesting user devices 102 a,b, a secureserver 108, an authentication server 116, a multi-person authenticationserver 124, and confirming user devices 134 a,b. As described in greaterdetail below with respect to FIGS. 4 and 5 , the multi-personauthentication server 124 generally facilitates multi-personauthentication by sending a challenge-response message 130 to anappropriate requesting user device 102 a,b and a push notification to anappropriate confirming user device 134 a,b in response to a request 122for multi-person authentication.

The user devices 102 a,b are generally any computing devices operable toprovide a request 106 for access to the secure server 108, capture animage of the requesting user 104, receive a challenge-response message130, and/or generate a corresponding verification response 138. In someembodiments, the requesting user 104 (e.g., the individual requestingaccess to the secure server 108) may operate more than one user device102 a,b to request and gain access to the secure server 108. Forexample, the user 104 may initially request access to the secure server108 from a first user device 102 a, such as a personal computer.Meanwhile, multi-person authentication may be performed through a seconduser device 102 b, such as a smartphone, as illustrated in the exampleof FIG. 1 . A user device 102 a,b generally includes a user interface(e.g., a touchscreen, a display and keypad, and/or the like) operable toprovide user input and display captured user images (see FIGS. 2A-2C).The user devices 102 a,b also include a camera operable to capture animage of the user 104. Examples of the use of a user device 102 a,b aredescribed below with respect to FIGS. 2A-2C. An example user device 102a,b and its operation are also described with respect to FIGS. 6 and 7below.

The secure server 108 is generally a suitable server (e.g., including aphysical server and/or virtual server) operable to store secure data 110and/or provide access to secure application(s) 112 or other serviceswith restricted access. The secure data 110 may be data which shouldonly be viewed or accessed by a user 104 who has been preapproved tohave access to this data 110. For example, the secure data 110 mayinclude personal information, private information, and/or the like. Asecure application 112 may be an application which may be employed toreview secure data 110 or to which access is otherwise restricted. Thesecure server 108 may be implemented using the processor, memory, andinterface of the device 1000 described below with respect to FIG. 10 .

The authentication server 116 is a device or collection of devicesoperable to perform an initial authorization of the requesting user 104using single-user authentication (e.g., based on a security credentialor the like provided with the user's request 106 to access the secureserver 108). The authentication server 116 includes authenticationinstructions 118 which include any instructions, code, or rules fordetermining whether the requesting user 104 is initially authorized torequest access to the secure server 108. For example, the authorizationinstructions 118 may include code for implementing a comparison ofsecurity credentials, such as a username and password combination,provided by the user 104 to a set of combinations of usernames andpasswords that are associated with authorized users of the secure server108. If the user 104 fails to pass this initial authentication (e.g., ifthe username and password do not match a predetermined username andpassword), then the user 104 may be denied access to the secure server108. Otherwise, if the user 104 passes this initial authentication(e.g., if the username and password match a predetermined username andpassword), then further authentication tasks are performed by themulti-person authentication server 124 and user devices 102 a,b, 134a,b. For example, a multi-person authentication request 122 may bedirected to the multi-person authentication server 124, and user accessmay only be provided based on the confirmation/denial 140 of this accessfrom the multi-person authentication server 124. The authenticationserver 116 may be implemented using the processor, memory, and interfaceof the device 1000 described below with respect to FIG. 10 .

The multi-person authentication server 124 is a device or collection ofdevices operable to perform further authentication of the requestinguser 104 based on a verification response 138 received from the userdevice 102 a,b. As described further with respect to FIGS. 2A-2C, 6, and7 , the user device 102 a,b determines the verification response 138based on images of both the requesting user 104 and confirming user 136a,b. The multi-person authentication server 124 includes confirmationprofiles 126 and authentication instructions 128. The confirmationprofiles 126 include information for matching authentication requests122 to appropriate confirming users 136 a,b. For example, theconfirmation profiles 126 may include an ordered list of confirmingusers 136 a,b who should be instructed via notification 132 a,b toparticipate in multi-person authentication (see also FIG. 6 ). Theauthentication instructions 128 include any instructions, code, or rulesfor determining whether the user 104 should be confirmed or deniedaccess to the secure server 108 based on properties of the verificationresponse 138 generated by the requesting user device 102 a,b. An examplemulti-person authentication server 124 and its operation are describedwith respect to FIGS. 4 and 5 below.

While the authentication server 116 and multi-person authenticationserver 124 are shown as a separate components of the system 100, itshould be understood that, at least in some embodiments, some or all ofthe servers 116 and 124 may be combined such that functions of theauthentication server 116 may be performed by the multi-personauthentication server 124 (described below). For instance, in somecases, an existing secure server 108 may already be configured tofunction in combination with an authentication server 116, whichprovides single-user authentication (e.g., based on a username andpassword, or the like). In such cases, the multi-person authenticationserver 124 may be added to the system 100, and a multi-personauthentication request 122 may be routed to the multi-personauthentication server 124 (e.g., rather than immediately allowing useraccess after passing the authentication functions of server 116). Inother cases, a secure server 108 (e.g., that is not already deployedwith a corresponding authentication server 116) may be coupled to amulti-person authentication server 124 that is also operable to performthe single-user authentication tasks of the authentication server 116.

The confirming user devices 134 a,b are generally any computing devicesoperable to receive a push notification 132 a,b associated with arequest 122 for user authentication, capture an image of the user 136a,b operating the device 134 a,b, perform facial recognition-basedauthentication of the user 136 a,b, and provide an authentication resultthe requesting user device 102 a,b. The image may be used by therequesting user device 102 a,b to verify that the user 104 is authorizedto access the secure server 108 (see FIGS. 2A-2C, 6, and 7 ). A userdevice 134 a,b generally includes a user interface (e.g., a touchscreen,a display and keypad, and/or the like) operable to provide user inputand display captured user images (see FIGS. 3A and 3B). The user devices134 a,b also include a camera operable to capture an image of the user136 a,b. Examples of the use of a user device 134 a,b are describedbelow with respect to FIGS. 3A and 3B. An example user device 134 a,band its operation are described with respect to FIGS. 8 and 9 below.

In an example operation of the system 100, a user 104 operates a firstrequesting device 102 a to provide a request 106 for access to thesecure server 112. For example, the user 104 may wish to view a portionof the data 110 stored in the server 108 and/or use an application 112hosted by the server 108. The request 106 may include securitycredentials (e.g., a username and password) for accessing the secureserver 108. In response to receiving the request 106, the secure server108 may communicate with the authorization server 116 to determinewhether the user 104 is initially authenticated to access the server108. For example, the secure server 108 may provide an authenticationrequest 114 to the authentication server 116. The request 114 mayinclude the security credentials (e.g., the username and password) thatthe user 104 provided. The authentication server 116 uses theauthentication instructions 118 to determine if the user 104 should beinitially authenticated. For example, if the security credentialsprovided in the request 114 match predefined credentials associated withthe authentication instructions 118, the authentication server 116 maydetermine that the user 104 is initially authenticated and thatmulti-person authentication should be performed. The authenticationserver 116 returns a confirmation or denial 120 of the initialsingle-user authentication performed by the server 116.

In a case where the authentication server 116 confirms that the user 104is initially authenticated, the secure server 108 provides amulti-person authentication request 122 to the multi-personauthentication server 124. The multi-person authentication request 122may include an identifier of the user 104 and/or of a device 102 a,b ofthe user 104. For example, if the user 104 uses the second requestingdevice 102 b for multi-person identification, the request 122 mayinclude an identifier of this device 102 b such that multi-personauthentication may be conducted via this device 102 b (as describedfurther with respect to FIGS. 2A-2C, 6, and 7 below). The request 122may further include an identifier of the data 110 and/or application(s)112 to which the user 104 is requesting access. This information mayfacilitate the identification of one or more confirming users 136 a,bwho are appropriate for further authenticating the user 104 via theconfirming device 134 a,b, as described further below with respect toFIGS. 3A-3B, 8, and 9 ).

Following receipt of the request 122 for multi-person authentication,the multi-person authentication server 124 sends a challenge-responsemessage 130 to the requesting user device 102 a,b. The multi-personauthentication server 124 may use information included in themulti-person authentication request 122 (e.g., the identifier of theuser 104 and/or the user device 102 b) to determine which device 102 a,bshould receive the challenge-response message 130. Thechallenge-response message 130 generally includes instructions to beginfacial-recognition based multi-person authentication with the userdevice 102 a,b (see FIGS. 2A-2C and corresponding description below). Insome cases, the challenge-response message 130 is sent to the samedevice 102 a the user 104 operated to request access to the server 108(e.g., the message 130 may be sent to the user's personal computer).However, in other cases such as is illustrated in FIG. 1 , thechallenge-response message 130 is provided to the second user device 102b that has been assigned the task of multi-person user authentication.

The multi-person authentication server 124 also determines one or moreconfirming users 136 a,b who are appropriate for confirming an identityand/or the access privileges of the user 104. For example, themulti-person authentication server 124 may use the confirmation profiles126 to identify a confirming user 136 a,b who has administrativeprivileges over data 110 and/or application(s) 112 to which the user 104is requesting access. The confirming user 136 a,b may be an individualthat is associated with the user 104 (e.g., is a manager of the user104, works in a same organizational group as the user 104, etc.). Thepush notification 132 a,b generally includes instructions for initiatingacquisition of an image of the confirming user 136 a,b, which isprovided to the requesting device 102 b, for example, to be used forfacial recognition-based user authentication (see FIGS. 2A-2C and3A-3B). If a first selected confirming user 136 a is non-responsive forgreater than a threshold time (e.g., of five minutes or so), then themulti-person authentication server 124 may cancel the notification 132 asent to the first confirming user 136 a and send a second notification132 b to a second confirming user 136 a,b. The second confirming user136 b may be the next person in the list of confirming users who haveadministrative privileges over data 110 and/or application(s) 112requested by user 104 (see, e.g., FIGS. 4 and 5 and correspondingdescription below).

FIGS. 2A-2C illustrate views 200, 220, 250 of the user interfacepresented on the user device 102 a,b at various stages in themulti-person authentication process using the authentication-requestapplication. The device 102 a,b includes a camera 202 and a display 204.The device 102 a,b executes the authentication-request application whichmay implement at least a portion of the multi-person authenticationprocess described in this disclosure. The display 204 is a touchscreenin the example of FIGS. 2A-2C. FIG. 2A shows a first view 200 presentedon the display 204 of the device 102 a,b. The view 200 includes a field206 for entry of security credentials by the user 104 and a keypad 208for entering security credentials (e.g., a PIN, password, or the like).Following entry of the security credentials and confirmation of theentered credentials (see FIGS. 6 and 7 ), the camera 202 captures animage 224 of the requesting user 104 and receives an image 222 of theconfirming user 136 a,b that is obtained by the confirming user device134 a,b.

View 220 of FIG. 2B shows a split screen presented on the display 204 ofthe device 102 a,b with the image 222 of the confirming user 136 a,b inone portion of the split screen and the image 224 of the requesting user104 in another portion of the split screen. In some embodiments, theimages 222 and 224 are part of corresponding video feeds obtained fromdevices 134 a,b and 102 a,b, respectfully. In such embodiments, theimages 222, 224 may represent these video feeds, such that images 222,224 appear as a video chat session between the requesting user 104 andthe confirming user 136 a,b. As shown in view 250 of FIG. 2C, facialrecognition may be used to verify the identity of the requesting user104 based on image 224. In some cases, the identity of the confirminguser 136 a,b may also be verified based on image 222 (e.g., if facialrecognition-based authentication is not performed by the confirmingdevice 134 a,b). Regions 252, 254 near the faces of the images 222, 224may be used to perform facial recognition. If the identities of bothusers 104, 136 a,b are verified, a verification message 256 may bepresented on the display 204 of the device 102 a,b. The requestingdevice 102 a,b and its operation are described in greater detail belowwith respect to FIGS. 6 and 7 . While the examples of FIGS. 2A-2Cillustrate multi-person authentication based on images 222, 224 of twousers (e.g., a requesting user 104 and a single confirming user 136a,b), it should be understood that multi-person authentication couldinvolve images of more than one confirming user 136 a,b. For example,multi-person authentication may involve identity verification of therequesting user 104 and two or more of the confirming users 136 a,b.

FIGS. 3A and 3B illustrate views 300, 350 of the user interfacepresented on the confirming device 134 a,b at various stages in themulti-person authentication process using theauthentication-confirmation application. The device 134 a,b includes acamera 302 and a display 304, which may be the same or similar to thecamera 202 and display 204 described above with respect to FIGS. 2A-2C.The device 102 a,b executes the authentication-confirmation applicationwhich may implement at least a portion of the multi-personauthentication process described in this disclosure. FIG. 3A shows afirst view 300 presented on the display 304 of the device 134 a,b. Theview 300 includes a field 306 for entry of security credentials by theuser 136 a,b and a keypad 308 for entering the security credentials.Following entry of the security credentials and confirmation of theentered credentials (see FIGS. 8 and 9 ), the camera 302 captures animage 352 of the confirming user 136 a,b and may receive an image 354 ofthe requesting user 104 that is obtained by the requesting user device102 a,b.

View 350 of FIG. 3B shows a split screen presented on the display 304 ofthe device 134 a,b with the image 352 of the confirming user 136 a,b inone portion of the display 304 and the image 354 of the requesting user104 in another portion of the display 304. Image 352 and 354 may be thesame as images 222 and 224, respectively, of FIGS. 2B and 2C, describedabove. Similarly to as described above for FIG. 2B, in some embodiments,the images 352 and 354 are part of corresponding video feeds obtainedfrom devices 134 a,b and 102 a,b, respectfully. In such embodiments, theimages 352, 354 may represent these video feeds, such that images 352,354 appear as a video chat session between the requesting user 104 andthe confirming user 136 a,b. In some embodiments, the confirming device134 a,b uses facial recognition to verify that the identity of theconfirming user 136 a,b corresponds to an identity of an individual whois authorized to confirm access to the secure server 108. In otherembodiments, the image 352 may be provided to the requesting device 102a,b, and the requesting device 102 a,b may use the image (e.g., image222 in FIGS. 2B and 2C) to authenticate the requesting user 136 a,b. Ifthe identities of both users 104, 136 a,b are verified, a verificationmessage 362 may be presented on the display 304 of the device 134 a,b.

In some cases, the authentication-confirmation application may present arequest 356 for the confirming user 136 a,b to indicate whether theimage 354 corresponds to a user who is known to have permission toaccess the secure server 108. The confirming user 136 a,b may provide aninput to confirm (e.g., by selecting the “YES” button 358) or deny(e.g., by selecting the “NO” button 360) that the user 104 should begranted access to the secure server 108. If the confirming user 136 a,bconfirms that the image 354 is of an authorized user of the secureserver 108, then the user 136 a,b may be authenticated using facialrecognition as described above or the image 354 may be provided for useby the requesting device 102 b (e.g., the image 354 may be transmittedvia the multi-person authentication server 124 or another network suchthat it may be used as image 222 of FIGS. 2B and 2C for facialrecognition-based user authentication). The confirming device 134 a,band its operation are described in greater detail below with respect toFIGS. 8 and 9 .

Returning to FIG. 1 , the user device 102 a,b provides a verificationresponse 138 indicating whether the user 104 has been verified (e.g.,based on the results of the facial recognition-based verificationillustrated in FIG. 2C). The multi-person authentication server 124 thenprovides a confirmation or denial 140 of access to the secure server104, and the secure server 108 uses the confirmation or denial 140 toeither provide or deny access to the secure server 108. Thedetermination and provision of the confirmation or denial 142 of accessto the secure server 108 is described in greater detail below withrespect to FIGS. 4 and 5 .

Example Multi-Person Authentication Server and its Operation

FIG. 4 is an example of a multi-person authentication server 124 of FIG.1 . The multi-person authentication server 124 includes at least oneprocessor 402, at least one memory 404, and a network interface 406. Themulti-person authentication server 124 may be configured as shown or inany other suitable configuration.

The processor 402 comprises one or more processors operably coupled tothe memory 404. The processor 402 is any electronic circuitry including,but not limited to, state machines, one or more central processing unit(CPU) chips, logic units, cores (e.g. a multi-core processor),field-programmable gate array (FPGAs), application specific integratedcircuits (ASICs), or digital signal processors (DSPs). The processor 402may be a programmable logic device, a microcontroller, a microprocessor,or any suitable combination of the preceding. The processor 402 iscommunicatively coupled to and in signal communication with the memory404 and the network interface 406. The one or more processors areconfigured to process data and may be implemented in hardware orsoftware. For example, the processor 402 may be 8-bit, 16-bit, 32-bit,64-bit or of any other suitable architecture. The processor 402 mayinclude an arithmetic logic unit (ALU) for performing arithmetic andlogic operations, processor registers that supply operands to the ALUand store the results of ALU operations, and a control unit that fetchesinstructions from memory and executes them by directing the coordinatedoperations of the ALU, registers and other components. The one or moreprocessors are configured to implement various instructions. Forexample, the one or more processors are configured to executeinstructions to implement the function disclosed herein, such as some orall of those described with respect to FIGS. 1 and 5 . In someembodiments, the function described herein is implemented using logicunits, FPGAs, ASICs, DSPs, or any other suitable hardware or electroniccircuitry.

The memory 404 is operable to store any of the information describedwith respect to FIGS. 1 and 5 along with any other data, instructions,logic, rules, or code operable to implement the function(s) describedherein when executed by processor 402. For example, the memory 404 maystore confirmation profiles 126 and authentication instructions 128. Asdescribed above with respect to FIG. 1 , the confirmation profiles 126may include an ordered list of confirming users 136 a,b who should becontacted (via notification 132 a,b) to participate in multi-personauthentication. For example, as illustrated in FIG. 4 , the confirmationprofiles 126 may include for each application 408 a,b hosted on thesecure server 108, a set of confirmation user identities 410 a,b, 412a,b. When multi-person authentication is requested to access a givenapplication 408 a,b (i.e., based on receipt of request 122 of FIG. 1 ),the multi-person authentication server 124 may first provide anotification 132 a,b to the user 136 a,b corresponding to the initialconfirming user identity 410 a,b. Users 136 a,b corresponding tosubsequent confirming user identities 412 a,b in the set or list ofusers for the requested application 408 a,b may be contacted if aconfirming user 136 a,b corresponding to the initial user identity 410a,b is unresponsive to the notification 132 a,b (e.g., within apredefined time limit). The authentication instructions 128 include anyinstructions, code, or rules for determining whether the user 104 shouldbe confirmed or denied access to the secure server 108 based onproperties of the verification response 138 generated by the requestinguser device 102 a,b. For instance, the authentication instructions 128may include instructions to confirm access is granted if the user 104 isverified by the device 102 a,b (see FIG. 2C and correspondingdescription above). The memory 404 comprises one or more disks, tapedrives, or solid-state drives, and may be used as an over-flow datastorage device, to store programs when such programs are selected forexecution, and to store instructions and data that are read duringprogram execution. The memory 404 may be volatile or non-volatile andmay comprise read-only memory (ROM), random-access memory (RAM), ternarycontent-addressable memory (TCAM), dynamic random-access memory (DRAM),and static random-access memory (SRAM).

The network interface 406 is configured to enable wired and/or wirelesscommunications. The network interface 406 is configured to communicatedata between the multi-person authentication server 124 and othernetwork devices, systems, or domain(s). For example, the networkinterface 406 may comprise a WIFI interface, a local area network (LAN)interface, a wide area network (WAN) interface, a modem, a switch, or arouter. The processor 402 is configured to send and receive data usingthe network interface 406. The network interface 406 may be configuredto use any suitable type of communication protocol as would beappreciated by one of ordinary skill in the art.

FIG. 5 is a flow diagram illustrating an example method 500 ofmulti-person authentication. The method 500 may be implemented using themulti-person authentication server 124 of FIGS. 1 and 4 . As describedabove with respect to FIGS. 1 and 4 , the multi-person authenticationserver 124 facilitates multi-person authentication based on information(e.g., images and/or security credentials) provided by both a user 104who is requesting access to a secure server 108 and a confirming user136 a,b who has appropriate administrative privileges for verifying thatthe user 104 should be allowed access to the secure server 108. Themethod 500 may begin at step 502 where a multi-person authenticationrequest 122 is received by the multi-person authentication server 124.The multi-person authentication request 122 may include an identifier ofthe user 104 and/or of a device 102 a,b of the user 104. For example, ifthe user 104 uses his/her second device 102 b for executing anauthentication-request application, the request 122 may include anidentifier of this device 102 b such that certain multi-personauthentication tasks may be conducted via this device 102 b (see FIGS. 6and 7 and corresponding description below). The multi-personauthentication request 122 may further include an identifier of the data110 and/or application(s) 112 to which the user 104 is requestingaccess. This information may facilitate the identification of one ormore confirming users 136 a,b to whom a notification 132 a,b should beprovided (see step 508).

At step 504, the multi-person authentication server 124 provides achallenge-response message 130 to a requesting user device 102 a,b. Forexample, the multi-person authentication server 124 may identify, basedon user information included in the multi-person authentication request122, a device 102 a,b to which the challenge-response message 130 shouldbe sent and may send this message 130 to the identified device 102 a,b.The challenge-response message 130 includes instructions to beginmulti-person authentication tasks at the user device 102 a,b (see FIGS.2A-2C and corresponding description above and FIGS. 6 and 7 andcorresponding description below). For example, the challenge-responsemessage 130 may indicate that user authentication is needed for therequesting user 104 based on one or both of a security credential (seeFIG. 2A) and facial recognition (see FIG. 2C). The challenge-responsemessage 130 may indicate a number of confirming users 136 a,b requiredto achieve multi-person authentication and the type of multi-personauthentication needed. For instance, the challenge-response message 130may include an indication of whether the confirming user 136 a,b needsto provide an indication that the requesting user 104 is approved foraccess (see request 356 of FIG. 3B), how many confirming user images(e.g., images 252 of FIGS. 2A and 2C) are needed to achieve multi-personauthentication, and the like.

At step 506, the multi-person authentication server 124 identifies oneor more confirming users 136 a,b to whom a notification 132 a,b shouldbe sent for multi-person authentication. For example, the confirmationprofiles 126 may be used to identify a confirming user 136 a,b who isappropriate for authenticating the user 104 based on the identity of theuser 104, a group in which the user 104 works, data 110 to which theuser 104 is requesting access, and/or application(s) 112 to which theuser 104 is requesting access. For instance, if the user 104 isrequesting to access a given application 408 a,b, the multi-personauthentication server 124 may identify an initial confirming useridentity 410 a,b corresponding to a confirming user 136 a,b to whom anotification should be sent first to authenticate sue of thisapplication 408 a,b (see FIG. 4 ).

At step 508, the multi-person authentication server 124 provides thenotification 132 a,b to the device 134 a,b of the user 136 a,bidentified at step 506. The notification 132 a,b includes instructionsfor initiating a simultaneous acquisition of an image 222 of theconfirming user 136 a,b. In some cases, authentication of the users 104and 136 a,b may only proceed once the images 222, 224 are visible on thedisplay 204 of the device 102 a,b. Facial recognition may be performedon each user's 104 and 136 a,b corresponding device 102 a,b or 136 a,b,respectively, as described above. For example, an authentication resultmay be provided to the requesting device 102 b.

At step 510, the multi-person authentication server 124 determines ifthe confirming user 136 a,b is responsive (e.g., within a predeterminedtime limit). For example, the multi-person authentication server 124 maydetermine whether the confirming device 134 a,b has been operated by theconfirming user 136 a,b to begin the confirming user's portion of themulti-person authentication process, for example, by entering a securitycredential (see FIG. 3A) and/or capturing an image 222 of the confirminguser 136 a,b (see FIG. 3B). If the confirming user 136 a,b is notresponsive, the multi-person authentication server 124 may return tostep 506 to identify a different confirming user 136 a,b (e.g., asubsequent confirming user 412 a,b for the application 408 a,b to whichthe user 104 is requesting access). Otherwise, if the confirming user136 a,b is responsive, the multi-person authentication server 124 mayproceed to step 512.

At step 512, the multi-person authentication server 124 determineswhether a verification response 138 is received from the requesting userdevice 102 a,b. As described above with respect to FIGS. 1 and 2A-2C,the verification response 138 generally indicates whether or not theuser 104 and user 136 a,b have been verified (e.g., based on the resultsof the facial recognition-based verification illustrated in FIGS. 2C and3B). Facial recognition may be performed simultaneously on therequesting user device 102 a,b (e.g., to authenticate the requestinguser 104) and the confirming user device 134 a,b (e.g., to authenticatethe confirming user 136 a,b). The multi-person authentication server 124may receive authentication results from the requesting user device 102a,b and the confirming user device 134 a,b (i.e., the verificationresponse 138 may represent these results received from the respectiveuser devices 102 a,b and 136 a,b). If a verification response 138 is notreceived, the multi-person authentication server 124 may proceed to step514 to determine whether greater than a threshold response time (e.g.,of five minutes or so) has elapsed, and if this is the case, access tothe secure server 108 may be prevented at step 520. However, if thethreshold response time has not elapsed, the multi-person authenticationserver 124 may continue to wait for the verification response 138 to bereceived. When the multi-person authentication server 124 determinesthat the verification response 138 is received at step 512, themulti-person authentication server 124 proceeds to step 516.

At step 516, the multi-person authentication server 124 determines ifthe requesting user 104 should be permitted to access the secure server108. For example, the multi-person authentication server 124 may use theauthentication instructions 128 to interpret the verification response138 and determine whether user access should be granted. For example,the authentication instructions 128 may indicate that the user 104should be permitted to access the secure server 108 if user credentialsentered in the requesting device 102 a,b are correct (see FIG. 2A) andimage verification is successful (see FIG. 2B). In some embodiments, theauthentication instructions 128 may further require that the confirminguser 136 a,b has confirmed that the requesting user 104 is known to beapproved to access the secure server 108 (see request 356 of FIG. 3B).

If the multi-person authentication server 124 determines that accessshould be granted at step 516, the multi-person authentication server124 may instruct the secure server 108 to allow the user 104 to accessthe secure server 108 at step 518 (e.g., or access at least therequested data 110 and/or application(s) 112). Otherwise, if themulti-person authentication server 124 determines that access should notbe granted at step 516, the multi-person authentication server 124 mayinstruct the secure server 108 to prevent the user 104 from accessingthe secure server 108 at step 520.

Example Requesting User Device and its Operation

FIG. 6 is an example of a requesting user device 102 a,b of FIGS. 1 and2A-2C. The requesting user device 102 a,b includes a processor 602, amemory 604, a network interface 606, and a camera 202. The requestinguser device 102 a,b may be configured as shown or in any other suitableconfiguration.

The processor 602 comprises one or more processors operably coupled tothe memory 604. The processor 602 is any electronic circuitry including,but not limited to, state machines, one or more central processing unit(CPU) chips, logic units, cores (e.g. a multi-core processor),field-programmable gate array (FPGAs), application specific integratedcircuits (ASICs), or digital signal processors (DSPs). The processor 602may be a programmable logic device, a microcontroller, a microprocessor,or any suitable combination of the preceding. The processor 602 iscommunicatively coupled to and in signal communication with the memory604 and the network interface 606. The one or more processors areconfigured to process data and may be implemented in hardware orsoftware. For example, the processor 602 may be 8-bit, 16-bit, 32-bit,64-bit or of any other suitable architecture. The processor 602 mayinclude an arithmetic logic unit (ALU) for performing arithmetic andlogic operations, processor registers that supply operands to the ALUand store the results of ALU operations, and a control unit that fetchesinstructions from memory and executes them by directing the coordinatedoperations of the ALU, registers and other components. The one or moreprocessors are configured to implement various instructions. Forexample, the one or more processors are configured to executeinstructions to implement the function disclosed herein, such as some orall of those described with respect to FIGS. 1, 2A-2C, and 7. In someembodiments, the function described herein is implemented using logicunits, FPGAs, ASICs, DSPs, or any other suitable hardware or electroniccircuitry.

The memory 604 is operable to store any of the information describedwith respect to FIGS. 1, 2A-2C, and 7 along with any other data,instructions, logic, rules, or code operable to implement thefunction(s) described herein when executed by processor 602. Forexample, the memory 604 may store authentication-request applicationinstructions 608 which include any code, logic, and/or rules forimplementing the authentication-request application using the processor602. The memory 604 may store facial recognition instructions 610 andfacial recognition data 612. The facial recognition instructions 610include any code, logic, and/or rules for implementing facialrecognition (e.g., the identification of users 104, 136 a,b based onimages 222, 224 of FIGS. 2B and 2C). The facial recognition data 612includes the information used by the facial recognition data 612 toverify user identity based on images. For instance, the facialrecognition data 612 may include previously obtained images of users'faces and/or measurable characteristics of such images, which may beused to verify user identity by comparison to characteristics determinedfrom new user images (e.g., images 222, 224 of FIGS. 2A and 2B). Thememory 604 may further store authentication instructions 614 whichinclude any logic, code, or rules for authenticating users, for examplevia entry of security credentials (see, e.g., FIG. 2A regarding theentry of security credentials to operate the authentication-requestapplication on device 102 b). The memory 604 comprises one or moredisks, tape drives, or solid-state drives, and may be used as anover-flow data storage device, to store programs when such programs areselected for execution, and to store instructions and data that are readduring program execution. The memory 604 may be volatile or non-volatileand may comprise read-only memory (ROM), random-access memory (RAM),ternary content-addressable memory (TCAM), dynamic random-access memory(DRAM), and static random-access memory (SRAM).

The network interface 606 is configured to enable wired and/or wirelesscommunications. The network interface 606 is configured to communicatedata between the requesting user device 102 a,b and other networkdevices, systems, or domain(s). For example, the network interface 606may comprise a WIFI interface, a local area network (LAN) interface, awide area network (WAN) interface, a modem, a switch, or a router. Theprocessor 602 is configured to send and receive data using the networkinterface 606. The network interface 606 may be configured to use anysuitable type of communication protocol as would be appreciated by oneof ordinary skill in the art.

The camera 202 is configured to obtain an image of the user 104.Generally, the camera 202 may be any type of camera. For example, thecamera 202 may include one or more sensors, an aperture, one or morelenses, and a shutter. The camera 202 is in communication with theprocessor 602, which controls operations of the camera 202 (e.g.,opening/closing of the shutter, etc.). Data from the sensor(s) of thecamera 202 may be provided to the processor 602 and stored in the memory604 in an appropriate image format for facial recognition using thefacial recognition instructions 610.

FIG. 7 is a flow diagram illustrating an example method 700 ofmulti-person authentication. The method 700 may be implemented using therequesting user device 102 a,b of FIGS. 1, 2A-C, and 6. The method 700may begin at step 702 where a request 106 for access to the secureserver 108 is sent. For example, a user 104 of the requesting device 102a,b may provide an input which corresponds to a request to access thesecure server 108 (e.g., the user 104 may navigate to a web portal usedto access data 110 and/or application(s) 112). The request 106 mayinclude an identifier of the requesting device 102 a,b, the requestinguser 104, data 110 to which access is requested, and/or application(s)112 to which access is requested. In some cases, the request 106 mayinclude or be provided along with security credentials (e.g., forachieving an initial authentication performed by the authenticationserver 116).

At step 704, the requesting device 102 a,b (which may be the same device102 a,b that sent the request 106 at step 702 or a different device 102a,b) receives a challenge-response message 130. The challenge-responsemessage 130 may be received from the multi-person authentication server124 described above with respect to FIGS. 1, 4, and 5 . Thechallenge-response message 130 may include instructions to beginfacial-recognition based multi-person authentication, as described insubsequent steps 706 to 722.

At step 706, the requesting device 102 a,b receives security credentialsfor beginning multi-person authentication operations. For example, therequesting user 104 may input the security credentials as illustrated inFIG. 2A, described above. At step 708, the requesting device 102 a,bdetermines if the received security credentials are authenticated. Forexample, the requesting device 102 a,b may use the authenticationinstructions 614 to determine if the security credentials received atstep 706 match predefined credentials for the user 104. If the securitycredentials are not authenticated at step 708, the method 700 generallyends. Otherwise, if the security credentials are authenticated at step708, the requesting device 102 a,b proceeds to step 710.

At step 710, the requesting device 102 a,b captures an image 224 of therequesting user 104 and receives an image 222 of the confirming user 136a,b at the same time (see FIGS. 2B-2C). The captured image 224 generallyincludes at least a portion of the face of the requesting user 104. Theauthentication-request application may automatically begin operating thecamera 202 of the requesting device 102 a,b in order to capture theimage 224 of the user 104. In some cases, the image 224 may beautomatically captured when an acceptable view (i.e., a view whichincludes a large enough portion of the user's face) is included in theimage 224 and presented in a portion of the device's display 204 (seeFIG. 2B). Similarly, the image 22 of the confirming user 136 a,b mayalso include at least a portion of the face of the user 136 a,b suchthat facial recognition-based authentication may be performed theconfirming user device 134 a,b and/or the requesting device 102 a,b. Insome cases, the user 104 may press an appropriate button on the device102 a,b to capture the image 224.

At step 712, the requesting device 102 a,b receives an image 222 (e.g.,image 532 of FIG. 3B) of the confirming user 136 a,b. For example, theconfirming user 136 a,b identified by the multi-person authenticationserver 124 (see step 506 of FIG. 5 ) may capture an image 222 ofhimself/herself (see image 352 of FIG. 3B and step 908 of FIG. 9 ), andthis image 222 may be provided to the requesting device 102 a,b.

At step 714, the images 222 and 224 of the confirming user 136 a,b andrequesting user 104 may be presented on the display of the device 102a,b. For example, images 222, 224 may be presented in different portionsof the display 204 of the device 102 a,b, as illustrated in FIG. 2B. Insome embodiments, the images 222, 224 are presented as videos, similarto a video chat session, as described with respect to FIG. 2B above.

At step 716, the requesting device 102 a,b uses facial recognition toidentify the requesting user 104 based on image 224. For example, incases where facial recognition is performed by the both the requestinguser device 102 a,b and the confirming user device 134 a,b, therequesting device 102 a,b may use the facial recognition instructions610 to identify user 104 and receive authentication results from device134 a,b regarding whether the confirming user 136 a,b is authenticated.The facial recognition instructions 610 may be used to identify the user104 based on a comparison of his/her corresponding image 224 (see FIGS.2B and 2C) to previously obtained images of the user 104. Anyappropriate method of facial recognition may be used to identify user104. As an example, the requesting device 102 a,b may use facialrecognition instructions 610 to identify a previous image of the face ofthe user 104 and compare image 224 to this previous image. A similarlyscore (e.g., a measure of the extent to which features in the previousimage and image 224 are the same or similar) may be determined for theimage 224. If the similarity score is greater than a threshold value,the requesting device 102 a,b may determine that the user 104 isverified as an authorized user of the secure server 108. A similarapproach may be used by the confirming user device 134 a,b to verify theidentity of the confirming user 136 a,b based on image 352 (see FIG.3B). For example, a similarly score (e.g., a measure of the extent towhich features in a previous image of the confirming user 136 a,b andimage 352 are the same or similar) may be determined for the image 352.If the similarity score is greater than a threshold value, theconfirming device 134 a,b may determine that the user 136 a,b isverified as an authorized administrator of the secure server 108. Thisverification may be sent as an authentication result to device 102 a,bto generate the verification response 138 to the challenge-responsemessage 130 sent from multi-person authentication server 124. In cases,where facial recognition is only performed by the requesting user device102 a,b, the requesting device 102 a,b may use the facial recognitioninstructions 610 to identify each user 104, 136 a,b participating inmulti-person authentication, similarly to as described above.

At step 718, the requesting device 102 a,b determines, based on theresults of facial recognition at step 716, if both users 104 and 136 a,bare confirmed to be authorized users and/or administrators. For example,the requesting device 102 a,b may determine whether the identity of therequesting user 104 (e.g., based on the identity determined from image224) matches an identity of a predetermined authorized user of thesecure server 108 and whether an authentication result from theconfirming user device 134 a,b indicates that 136 a,b is authenticated(e.g., that the identity of confirming user 136 a,b matches an identityof in individual with administrative privileges over the secure server108). For example, the requesting user device 102 a,b and confirminguser device 134 a,b may determine if faces in images 224 and 352 matchpreviously captured images of faces in the facial recognition data 612and 814 that correspond to authorized users and/or administrators of thesecure server 108.

At step 720, the requesting device 102 a,b generates a verificationresponse 138 that indicates that the user 104 should be granted accessto the secure server 108. At step 722 the verification response 138 issent to the multi-person authentication server 124 described above withrespect to FIGS. 1, 4, and 5 . After the verification response 138 issent, the user device 102 a,b may access the secure server 108 at step724. For example, the requesting device 102 a,b may access requesteddata 110 and/or application(s) 112, such that the user 104 may viewrequested data 110 and/or use requested application(s) 112.

Example Confirming User Device and its Operation

FIG. 8 is an example of a confirming user device 134 a,b of FIGS. 1 and3A-3B. The confirming user device 134 a,b includes a processor 802, amemory 804, a network interface 806, and a camera 302. The confirminguser device 134 a,b may be configured as shown or in any other suitableconfiguration.

The processor 802 comprises one or more processors operably coupled tothe memory 804. The processor 802 is any electronic circuitry including,but not limited to, state machines, one or more central processing unit(CPU) chips, logic units, cores (e.g. a multi-core processor),field-programmable gate array (FPGAs), application specific integratedcircuits (ASICs), or digital signal processors (DSPs). The processor 802may be a programmable logic device, a microcontroller, a microprocessor,or any suitable combination of the preceding. The processor 802 iscommunicatively coupled to and in signal communication with the memory804 and the network interface 806. The one or more processors areconfigured to process data and may be implemented in hardware orsoftware. For example, the processor 802 may be 8-bit, 16-bit, 32-bit,64-bit or of any other suitable architecture. The processor 802 mayinclude an arithmetic logic unit (ALU) for performing arithmetic andlogic operations, processor registers that supply operands to the ALUand store the results of ALU operations, and a control unit that fetchesinstructions from memory and executes them by directing the coordinatedoperations of the ALU, registers and other components. The one or moreprocessors are configured to implement various instructions. Forexample, the one or more processors are configured to executeinstructions to implement the function disclosed herein, such as some orall of those described with respect to FIGS. 1, 3A-3B, and 9. In someembodiments, the function described herein is implemented using logicunits, FPGAs, ASICs, DSPs, or any other suitable hardware or electroniccircuitry.

The memory 804 is operable to store any of the information describedwith respect to FIGS. 1, 3A-3B, and 9 along with any other data,instructions, logic, rules, or code operable to implement thefunction(s) described herein when executed by processor 802. Forexample, the memory 804 may store authentication-confirmationapplication instructions 808 which include any code, logic, and/or rulesfor implementing the authentication-confirmation application using theprocessor 802. The memory 804 may further store authenticationinstructions 810 which include any logic, code, or rules forauthenticating users 136 a,b, for example, via entry of securitycredentials (see, e.g., FIG. 3A regarding the entry of securitycredentials to operate the authentication-confirmation application ondevice 134 a,b). The memory 804 may store facial recognitioninstructions 812 and facial recognition data 814. The facial recognitioninstructions 812 include any code, logic, and/or rules for implementingfacial recognition (e.g., the identification of user 136 a,b based onimage 352 of FIG. 3B). The facial recognition data 814 includes theinformation used by the facial recognition data 814 to verify useridentity based on images. For instance, the facial recognition data 814may include previously obtained images of users' faces and/or measurablecharacteristics of such images, which may be used to verify useridentity by comparison to characteristics determined from new userimages (e.g., images 352 of FIG. 3B). The memory 804 comprises one ormore disks, tape drives, or solid-state drives, and may be used as anover-flow data storage device, to store programs when such programs areselected for execution, and to store instructions and data that are readduring program execution. The memory 804 may be volatile or non-volatileand may comprise read-only memory (ROM), random-access memory (RAM),ternary content-addressable memory (TCAM), dynamic random-access memory(DRAM), and static random-access memory (SRAM).

The network interface 806 is configured to enable wired and/or wirelesscommunications. The network interface 806 is configured to communicatedata between the confirming user device 134 a,b and other networkdevices, systems, or domain(s). For example, the network interface 806may comprise a WIFI interface, a local area network (LAN) interface, awide area network (WAN) interface, a modem, a switch, or a router. Theprocessor 802 is configured to send and receive data using the networkinterface 806. The network interface 806 may be configured to use anysuitable type of communication protocol as would be appreciated by oneof ordinary skill in the art.

The camera 302 is configured to obtain an image of the user 136 a,b.Generally, the camera 302 may be any type of camera. For example, thecamera 302 may include one or more sensors, an aperture, one or morelenses, and a shutter. The camera 302 is in communication with theprocessor 802, which controls operations of the camera 302 (e.g.,opening/closing of the shutter, etc.). Data from the sensor(s) of thecamera 302 may be provided to the processor 802 and stored in the memory804 in an appropriate image format (e.g., for facial recognition usingthe facial recognition instructions 812 of the confirming user device134 a,b).

FIG. 9 is a flow diagram illustrating an example method 900 ofmulti-person authentication. The method 900 may be implemented using theconfirming user device of FIGS. 1, 3A-3B, and 8 . The method 900 maybegin at step 902 where a push notification 132 a,b is received by theconfirming user device 134 a,b. The push notification 132 a,b mayinclude instructions to initiate acquisition of an image 352 of theconfirming user 136 a,b and provide the image 354 and, in some cases, anauthentication result to the requesting device 102 b, for example, todetermine whether users 104 and 136 a,b are authenticated and provide acorresponding verification response 138 to the challenge-responsemessage 130 sent by the multi-person authentication system 124.

At step 904, the confirming user device 134 a,b receives securitycredentials for beginning multi-person authentication operations. Forexample, the confirming user 136 a,b may input security credentials asillustrated in FIG. 3A, described above. At step 906, the confirminguser device 134 a,b determines if the received security credentials areauthenticated. For example, the confirming user device 134 a,b may usethe authentication instructions 910 to determine if the securitycredentials received at step 904 match predefined credentials for theuser 136 a,b. If the security credentials are not authenticated at step906, the method 900 generally ends. Otherwise, if the securitycredentials are authenticated at step 906, the confirming user device134 a,b proceeds to step 908.

At step 908, the confirming user device 134 a,b captures an image 352 ofthe confirming user 136 a,b (see FIG. 3B). The captured image 352 mayalso be provided to the requesting user device 102 a,b such that it maybe displayed as image 222 of FIGS. 2B and 2C). The captured image 352generally includes at least a portion of the face of the confirming user136 a,b. The authentication-confirmation application may automaticallybegin operating the camera 302 of the confirming user device 134 a,b inorder to capture the image 352 of the user 136 a,b if user 104 is alsoin frame. In some cases, the user 136 a,b may press an appropriatebutton on the device 134 a,b to capture the image 352.

At step 910, the confirming user device 134 a,b receives an image 354 ofthe requesting user 104. For example, the user 104 requesting access tothe secure server 108 may capture on image 354 of himself/herself (seeFIG. 2B and step 710 of FIG. 7 ), and this image 354 (e.g., image 224 ofFIG. 2B-2C) may be provided to the confirming user device 134 a,b. Atstep 912, the images 352 and 354 of the confirming user 136 a,b andrequesting user 104 may be presented on the display of the device 134a,b. For example, images 352, 354 may be presented in different portionsof the display 304 of the device 134 a,b, as illustrated in FIG. 3B. Insome embodiments, the images 352, 354 are presented as videos, similarto a video chat session, as described with respect to FIG. 3B above

At step 914, the confirming user device 134 a,b may optionally receivean input regarding whether the image 354 of the requesting user 104 isan image of a known approved user of the secure server 108. For example,as illustrated in FIG. 3B, an input may confirm (e.g., via a user 136a,b selection of the “YES” button 358) or deny (e.g., by selecting the“NO” button 360) the user 104 access to the secure server 108. At step916, the confirming user device 134 a,b determines if the input fromstep 914 corresponds to the user 104 being approved to access the secureserver 108. For example, if the input received at step 914 correspondsto a confirmation that the user 104 should be allowed to access thesecure server 108 (e.g., if the input is a selection of the “YES” button358 of FIG. 3B), then the confirming user device 134 a,b provides theimage 352 of the confirming user 136 a,b, for example, such that it maybe used by the requesting user device 102 a,b for multi-personauthentication (see, e.g., image 224 of FIGS. 2B-2C and steps 712, 716,and 718 of FIG. 7 ). Otherwise, if the input received at step 914corresponds to a denial of permission for the request of the user 104 toaccess the secure server 108 (e.g., if the input is a selection of the“NO” button 360 of FIG. 3B), the image 252 may not be provided for useby the requesting user device 102 a,b, such that the user 104 cannot beauthenticated.

At step 918, the confirming user device 134 a,b uses facial recognitionto identify the confirming user 136 a,b based on image 352. For example,in cases where facial recognition is performed by the both therequesting user device 102 a,b and the confirming user device 134 a,b,the confirming user device 134 a,b may use the facial recognitioninstructions 812 to identify user 136 a,b. The facial recognitioninstructions 812 may be used to identify the user 136 a,b based on acomparison of his/her corresponding image 352 (see FIG. 3B) topreviously obtained images of the user 136 a,b. Any appropriate methodof facial recognition may be used to identify user 136 a,b. As anexample, the confirming user device 134 a,b may use facial recognitioninstructions 812 to identify a previous image of the face of the user136 a,b and compare image 352 to this previous image. A similarly score(e.g., a measure of the extent to which features in the previous imageand image 352 are the same or similar) may be determined for the image352. If the similarity score is greater than a threshold value, theconfirming user device 134 a,b may determine that the user 104 isverified as an authorized user of the secure server 108 at step 920, 920results

If at step 920, the confirming user device 134 a,b determines that theconfirming user 136 a,b is authenticated, the confirming user device 134a,b may provide authentication results, for use by device 102 a,b,indicating the user 136 a,b is authenticated at step 922. If the user104 is also verified by device 102 a,b, the confirming user device 134a,b may receive an indication of this and display an indicator 366reflecting that the user 136 a,b and the user 104 are verified. If atstep 920, the confirming user device 134 a,b determines that theconfirming user 136 a,b is not authenticated, the confirming user device134 a,b may provide authentication results, for use by device 102 a,b,indicating the user 136 a,b is authenticated at step 924. In such cases,the requesting user 104 is not allowed to access the secure server 108.

Example Devices for Other System Components

FIG. 10 is an embodiment of a device 1000 which may be used to implementvarious components of the system 100 illustrated in FIG. 1 . Forexample, each of the secure server 108, the authentication server 116,and the multi-person authentication server 124 of FIG. 1 may beimplemented using a corresponding device 1000 or a correspondingcollection of devices 1000. The device 1000 includes a processor 1002, amemory 1004, and a network interface 1006. The device 1000 may beconfigured as shown or in any other suitable configuration.

The processor 1002 comprises one or more processors operably coupled tothe memory 1004. The processor 1002 is any electronic circuitryincluding, but not limited to, state machines, one or more centralprocessing unit (CPU) chips, logic units, cores (e.g. a multi-coreprocessor), field-programmable gate array (FPGAs), application specificintegrated circuits (ASICs), or digital signal processors (DSPs). Theprocessor 1002 may be a programmable logic device, a microcontroller, amicroprocessor, or any suitable combination of the preceding. Theprocessor 1002 is communicatively coupled to and in signal communicationwith the memory 1004 and the network interface 1006. The one or moreprocessors are configured to process data and may be implemented inhardware or software. For example, the processor 1002 may be 8-bit,16-bit, 32-bit, 64-bit or of any other suitable architecture. Theprocessor 1002 may include an arithmetic logic unit (ALU) for performingarithmetic and logic operations, processor registers that supplyoperands to the ALU and store the results of ALU operations, and acontrol unit that fetches instructions from memory and executes them bydirecting the coordinated operations of the ALU, registers and othercomponents. The one or more processors are configured to implementvarious instructions. For example, the one or more processors areconfigured to execute instructions to implement the function disclosedherein. In some embodiments, the function described herein isimplemented using logic units, FPGAs, ASICs, DSPs, or any other suitablehardware or electronic circuitry.

The memory 1004 is operable to store any of the information describedabove with respect to FIGS. 1-9 along with any other data, instructions,logic, rules, or code operable to implement the function(s) of thesecure server 108 and/or authentication server 116 described herein whenexecuted by processor 1002. For example, the memory 1004 may store thedata 110, code for application(s) 112, the authentication instructions118, 128, and/or the confirmation profiles, which are described abovewith respect to FIGS. 1, 4, and 5 . The memory 1004 comprises one ormore disks, tape drives, or solid-state drives, and may be used as anover-flow data storage device, to store programs when such programs areselected for execution, and to store instructions and data that are readduring program execution. The memory 1004 may be volatile ornon-volatile and may comprise read-only memory (ROM), random-accessmemory (RAM), ternary content-addressable memory (TCAM), dynamicrandom-access memory (DRAM), and static random-access memory (SRAM).

The network interface 1006 is configured to enable wired and/or wirelesscommunications. The network interface 1006 is configured to communicatedata between the device 1000 and other network devices, systems, ordomain(s). For example, the network interface 1006 may comprise a WIFIinterface, a local area network (LAN) interface, a wide area network(WAN) interface, a modem, a switch, or a router. The processor 1002 isconfigured to send and receive data using the network interface 1006.The network interface 1006 may be configured to use any suitable type ofcommunication protocol as would be appreciated by one of ordinary skillin the art.

While several embodiments have been provided in this disclosure, itshould be understood that the disclosed systems and methods might beembodied in many other specific forms without departing from the spiritor scope of this disclosure. The present examples are to be consideredas illustrative and not restrictive, and the intention is not to belimited to the details given herein. For example, the various elementsor components may be combined or integrated in another system or certainfeatures may be omitted, or not implemented.

In addition, techniques, systems, subsystems, and methods described andillustrated in the various embodiments as discrete or separate may becombined or integrated with other systems, modules, techniques, ormethods without departing from the scope of this disclosure. Other itemsshown or discussed as coupled or directly coupled or communicating witheach other may be indirectly coupled or communicating through someinterface, device, or intermediate component whether electrically,mechanically, or otherwise. Other examples of changes, substitutions,and alterations are ascertainable by one skilled in the art and could bemade without departing from the spirit and scope disclosed herein.

To aid the Patent Office, and any readers of any patent issued on thisapplication in interpreting the claims appended hereto, applicants notethat they do not intend any of the appended claims to invoke 35 U.S.C. §112(f) as it exists on the date of filing hereof unless the words “meansfor” or “step for” are explicitly used in the particular claim.

What is claimed is:
 1. A system, comprising: a secure server configuredto host one or more secure applications; and a first user devicecomprising: a camera operable to capture a first image of a first userof the user device; and a processor communicatively coupled to thecamera and configured to: receive a challenge-response messageassociated with a request for access to the secure server; receive afirst image of the first user, wherein the first image comprises animage of at least a portion of a face of the first user; receive asecond image of a second user of a second user device and anauthentication result determined by the second user device, wherein thesecond image comprises an image of at least a portion of a face of thesecond user; determine that the face of the first user included in thefirst image corresponds to a face of an authorized user of the secureserver; determine that the authentication result indicates that the faceof the second user corresponds to the face of the authorizedadministrator of the secure server; and generate a response to thechallenge-response message that indicates the first user is authorizedto access the secure server.
 2. The system of claim 1, wherein theprocessor is further configured to: receive user credentials; anddetermine that the received credentials correspond to predeterminedcredentials for the first user.
 3. The system of claim 1, wherein theprocessor is further configured to: present the first image of the firstuser in a first portion of a display of the first device; and presentthe second image of the second user in a second portion of a display ofthe first device.
 4. The system of claim 1, wherein the processor isfurther configured to indicate in a display of the first device that thefirst user is verified.
 5. The system of claim 1, wherein the processoris further configured to: determine that the face of the first usercorresponds to the face of the authorized user of the secure server by:identifying a previous image of the face of the first user; comparingthe previous image of the face of the first user to the face of thefirst user in the first image; determining, based on the comparison ofthe previous image of the face of the first user to the face of thefirst user in the first image, a first similarity score between the facein the previous image and the face in the first image; if the similarityfirst score is greater than a threshold value, determining that the faceof the first user corresponds to the face of the authorized user of thesecure server.
 6. The system of claim 1, wherein the processor isfurther configured to access the secure server.
 7. The system of claim1, wherein the second user is an administrator of the secure server. 8.A method comprising: receiving a challenge-response message associatedwith a request for access to a secure server; receiving a first imagethat comprises an image of at least a portion of a face of the firstuser; receiving a second image of a second user of a second user deviceand an authentication result determined by the second user device,wherein the second image comprises an image of at least a portion of aface of the second user; determining that the face of the first userincluded in the first image corresponds to a face of an authorized userof the secure server; determining that the authentication resultindicates that the face of the second user corresponds to the face ofthe authorized administrator of the secure server; and generating aresponse to the challenge-response message that indicates the first useris authorized to access the secure server.
 9. The method of claim 8,further comprising: receiving user credentials; and determining that thereceived credentials correspond to predetermined credentials for thefirst user.
 10. The method of claim 8, further comprising: presentingthe first image of the first user in a first portion of a display of thefirst device; and presenting the second image of the second user in asecond portion of a display of the first device.
 11. The method of claim8, further comprising indicating in a display of the first device thatthe first user is verified.
 12. The method of claim 8, furthercomprising: determining that the face of the first user corresponds tothe face of the authorized user of the secure server by: identifying aprevious image of the face of the first user; comparing the previousimage of the face of the first user to the face of the first user in thefirst image; determining, based on the comparison of the previous imageof the face of the first user to the face of the first user in the firstimage, a first similarity score between the face in the previous imageand the face in the first image; if the similarity first score isgreater than a threshold value, determining that the face of the firstuser corresponds to the face of the authorized user of the secureserver.
 13. The method of claim 8, further comprising accessing thesecure server.
 14. The method of claim 8, wherein the second user is anadministrator of the secure server.
 15. A device comprising: a cameraoperable to capture a first image of a first user of the user device;and a processor communicatively coupled to the camera and configured to:receive a challenge-response message associated with a request foraccess to the secure server, receive a first image of the first user,wherein the first image comprises an image of at least a portion of aface of the first user; receive a second image of a second user of asecond user device and an authentication result determined by the seconduser device, wherein the second image comprises an image of at least aportion of a face of the second user,; determine that the image of theface of the first user included in the first image corresponds to a faceof an authorized user of the secure server; determine that theauthentication result indicates that the face of the second usercorresponds to the face of the authorized administrator of the secureserver; and generate a response to the challenge-response message thatindicates the first user is authorized to access the secure server. 16.The device of claim 15, wherein the processor is further configured to,:receive user credentials; and determine that the received credentialscorrespond to predetermined credentials for the first user.
 17. Thedevice of claim 15, wherein the processor is further configured to:present the first image of the first user in a first portion of adisplay of the first device; and present the second image of the seconduser in a second portion of a display of the first device.
 18. Thedevice of claim 15, wherein the processor is further configured toindicate in a display of the first device that the first user isverified.
 19. The device of claim 15, wherein the processor is furtherconfigured to: determine that the face of the first user corresponds tothe face of the authorized user of the secure server by: identifying aprevious image of the face of the first user; comparing the previousimage of the face of the first user to the face of the first user in thefirst image; determining, based on the comparison of the previous imageof the face of the first user to the face of the first user in the firstimage, a first similarity score between the face in the previous imageand the face in the first image; if the similarity first score isgreater than a threshold value, determining that the face of the firstuser corresponds to the face of the authorized user of the secureserver.
 20. The device of claim 15, wherein the processor is furtherconfigured to access the secure server.